OpenStack - Theory and Practice

Sean M. Collins

@sc68cal

tl;dr

• Written in Python
• Provides API compatability with Amazon AWS
• Install on your own hardware - build your own private cloud

Original Project - Nova

• Wired: The Secret History of OpenStack, the Free Cloud Software That’s Changing Everything
• Nova used to do everything
  • Identity
  • Object Storage
  • Networking
  • Block Storage
• Nova would be split - became the compute service
• Parts of Nova that handled everything besides compute became separate projects

Components - Essex Era

• Identity Service (Keystone)
• File Service (Swift)
• Image Service (Glance)
• Compute Service (Nova)
• Dashboard (Horizon)

OpenStack - Essex

Keystone

• Ties all the other components together
• Authorization
  • Tenants
  • Users
  • Roles
• Service Catalog
  • Regions
  • APIs available in each Region

Glance

• Stores Virtual Machine Images
• AMI
• OVF
• Raw disks

Nova

• Run VMs
• Flavors
• Persistent Block Storage
• Ephemeral Storage

• # CPUs
• Memory
• Ephemeral Storage Size

Nova API Request

{
    "server" : {
	"name" : "new-server-test",
	"imageRef" : 
		"http://openstack.example.com/openstack/images/
		70a599e0-31e7-49b7-b260-868f441e862b",
	"flavorRef" : 
		"http://openstack.example.com/openstack/
		flavors/1",
	"metadata" : {
	    "My Server Name" : "Apache1"
	},
    }
}
				

Nova API response

{
    "server": {
        "adminPass": "wfksH3GTTseP",
        "id": "440cf918-3ee0-4143-b289-f63e1d2000e6",
        "links": [
            {
		"href": "http://openstack.example.com/v2/
			openstack/servers/440cf918-3ee0-4143-b289-f63e1d2000e6",
                "rel": "self"
            },
            {
		"href": "http://openstack.example.com/openstack/
			servers/440cf918-3ee0-4143-b289-f63e1d2000e6",
                "rel": "bookmark"
            }
        ]
    }
}
			    

OpenStack Architecture

• Provide a common interface
• Plugin/Drivers provides the concrete implementations

Compute API Example: "Create a VM "

Plugins for each hypervisor handle how to accomplish this request

• libvirt/KVM
• Xen
• Microsoft Hyper-V
• VMWare
• Bare Metal provisioning

OpenStack - Folsom

Notes about Folsom Architecture

• Introduction of two new services:
  • Block Storage API (Cinder)
  • Network API (Quantum)
• These services were extracted from the Nova codebase

Networking

Nova-Network

• Provided three network configuration types
• Only two are worth talking about
  • FlatDHCPManager
  • VLANManager

Nova Networking Internals on Compute nodes

• L2 (Ethernet)
  • Bridge 802.1d standard
  • Hypervisor type determines implementation (Linux bridge, Xen bridge, etc)
  • Puts the host's interface into promiscuous mode
  • Instances on the host attach to the bridge pseudo-device
  • Traffic from VM interface sent down the bridge, bridge sends to the physical device
  • Physical device transmits

Nova Networking Internals on Nova-Network host

In simple setups, one machine runs Nova-Network and provides L3 connectivity

• L3 (TCP/IP)
  • Linux iptables
  • NAT chains

Instance Networking

• Fixed IPs
  • RFC 1918 Address
  • Similar to the private IPs given to EC2 instances for cloud-only communication
• Floating IPs
  • IP addresses used to connect instances to the outside world
  • Similar to Elastic IPs from AWS

Security Groups

• Similar to the Amazon EC2 Security Group API
• Security group - consists of rules
• Each rule has a type, Source CIDR, and port range

Security Group API calls are translated into iptables chains, on the host running nova-network

Nova-Network FlatDHCPManager

Nova-Network multi host configuration

Nova-Network VLANManager

* Image credit - Mirantis

Openstack Quantum

• Networking as a service

Quantum - Concepts

• Network
• Subnet
• Port

Quantum Network

A network is an isolated virtual layer-2 broadcast domain that is typically reserved for the tenant who created it unless the network is configured to be shared. Tenants can create multiple networks until they reach the thresholds specified by per-tenant quotas.

In the Quantum API v2.0, the network is the main entity. Ports and subnets are always associated with a network.

Quantum Subnet

A subnet represents an IP address block that can be used to assign IP addresses to virtual instances. Each subnet must have a CIDR and must be associated with a network. IPs can be either selected from the whole subnet CIDR or from allocation pools that can be specified by the user.

A subnet can also optionally have a gateway, a list of dns name servers, and host routes. This information is pushed to instances whose interfaces are associated with the subnet

Quantum Port

A port represents a virtual switch port on a logical network switch. Virtual instances attach their interfaces into ports. The logical port also defines the MAC address and the IP address(es) to be assigned to the interfaces plugged into them. When IP addresses are associated to a port, this also implies the port is associated with a subnet, as the IP address was taken from the allocation pool for a specific subnet.

Quantum - Plugins

• Quantum provides a common API, for operations that are needed in a software defined networking environment
• Quantum uses plugins, which provide the concrete implementations of the APIs

Technologies used by plugins

• 802.1q (VLANs)
• 802.1Qbh
• Linux TUN/TAP devices
• GRE Tunnels

Quantum Plugins

• OpenVSwitch
• Cisco
• LinuxBridge
• Microsoft Hyper-V
• Nicira
• And many more!

Quantum - Flat Networking

• Similar to the nova-network FlatDHCP configuration

Quantum - Multiple Flat Networks

Quantum - Provider Router

Quantum - Tenant Routers

Demo

• DevStack
  • Collection of scripts that set up a development environment for hacking on OpenStack
• Vagrant+Devstack

Client Libraries

• python-novaclient
• OpenStack API client for $LANGUAGE
• Horizon dashboard